DSEE 6.3.1 with TLS:simple


 
# 1  
Old 05-14-2010

Hello guys,

I have been trying to set up my DSEE 6.3 on Solaris 10 using proxy with tls:simple authentication. I follow all the steps mentioned in the Installation Guide on Sun's site, but there is a problem with ldapclient init when I use a hostname instead of an IP address in the Default Server List.

Here is the config for the default profile:

1 Domain to serve : test.ldap
2 Base DN to setup : dc=test,dc=ldap
3 Profile name to create : default
4 Default Server List : pluto
5 Preferred Server List : pluto
6 Default Search Scope : one
7 Credential Level : proxy
8 Authentication Method : tls:simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : TRUE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
18 Bind Limit : 10
19 Enable shadow update : FALSE


ldapsearch did not work before I installed the server certificate on the client machine using certutil. After the certificate is OK, ldapsearch works fine over the secure port.

I initialize the Solaris 10 client with the following command:

ldapclient -v init -a proxypassword=password -a proxydn=cn=smsproxy,ou=profile,dc=test,dc=ldap -a profilename=default -a domainname=test.ldap 10.1.1.29


In the ldapclient manual it says that when using TLS, the server list in the profile should contain hostnames, not IP addresses. If I use IP addresses, ldapclient init is OK but not ldaplist; if I use a hostname, then ldapclient init fails. It looks like some sort of name resolution problem, but all the names exist in the /etc/hosts file and nsswitch.conf is configured to look at files.


I hope I was able to clarify my problem. Any help would be appreciated.

Thanks,
Niyazi
# 2  
Old 05-19-2010
I have had the exact same experience as you.
If I used the IP then ldapclient init worked like a charm, but not with the hostname.
It's almost as if ldapclient does not resolve the hostname, just assumes it's an IP and goes for it :/
# 3  
Old 05-19-2010
No one managed to run DSEE with TLS:simple???
# 4  
Old 05-19-2010
It worked fine for me and I was using IP addresses. By the way, the documentation doesn't state that a hostname must be used when TLS is enabled, only that there should be a full match between what is in the certificate and what is in the name service (hosts or DNS).
# 5  
Old 05-20-2010
Could you please send me the instructions? The ones on the BigAdmin site do not work. I am using Solaris 10 with the latest recommended patches applied.
# 6  
Old 05-20-2010
Please post the precise instructions you followed and show where it fails, including error messages.
# 7  
Old 05-20-2010
Hello,

I have three test servers: an LDAP server, an LDAP client and a DNS server (non-global zones, but not shared).

My nsswitch.conf is OK and /etc/resolv.conf on the LDAP server and client points to the test DNS server. nslookups look fine.


I install DSEE 6.3.1 on Solaris 10 on SPARC from native packages. Everything goes well.

After the software installation, I log in to the Java Web Console and initialize the DSCC registry. No errors.

I create a server instance with the default settings.


I run /usr/lib/ldap/idsconfig

Here is the summary output:


Summary of Configuration

1 Domain to serve : test.ldap
2 Base DN to setup : dc=test,dc=ldap
Suffix to create : dc=test,dc=ldap
Database to create : test
3 Profile name to create : default
4 Default Server List : 10.1.1.28:1389
5 Preferred Server List : 10.1.1.28:1389
6 Default Search Scope : sub
7 Credential Level : proxy
8 Authentication Method : tls:simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : FALSE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
18 Bind Limit : 10
19 Enable shadow update : FALSE
20 Service Search Descriptors Menu


I enter the password for proxy agent and the default schema is initialized with no errors.

Now, I export my server certificate from the LDAP server with the following command:


# /opt/SUNWdsee/ds6/bin/dsadm export-cert -o /tmp/server-certificate /space/DS/ds1 defaultCert



I copy this certificate to the client machine, and before importing the cert I run the ldapsearch command:



# ldapsearch -v -h 10.1.1.28 -p 1686 -Z -P /var/ldap/cert8.db -b "dc=test,dc=ldap" -s base "objectclass=*"


can not connect to ldap server.


I import the certificate into the client cert db using the following (the cert db is initialized with /usr/sfw/bin/certutil -N -d /var/ldap):

/usr/sfw/bin/certutil -A -i /tmp/server-certificate -n "Server Certificate" -t "CT" -d /var/ldap


I run the ldapsearch command again and it works fine. This means SSL is working and my certificate is installed properly, right?


Now I initialize the client with the ldapclient command:

# ldapclient -v init -a proxypassword=password -a proxydn=cn=proxyagent,ou=profile,dc=test,dc=ldap -a domainname=test.ldap -a certificatePath=/var/ldap 10.1.1.28

success...

I remove the ldap [NOTFOUND=return] line from my nsswitch.conf.

The ldapsearch command works fine again, but the ldaplist command fails with a "no available connection" error. I could not find any way to debug the failure.

On the LDAP client, /var/adm/messages shows:

May 18 09:06:55 eris ldap_cachemgr[23856]: [ID 293258 daemon.warning] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
May 18 09:06:55 eris ldap_cachemgr[23856]: [ID 292100 daemon.warning] libsldap: could not remove 10.1.1.28 from servers list
May 18 09:06:55 eris ldap_cachemgr[23856]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.
May 18 09:06:55 eris ldap_cachemgr[23856]: [ID 186574 daemon.error] Error: Unable to refresh profile:default: Session error no available conn.



Thank you for help.

Last edited by niyazi; 05-20-2010 at 04:38 AM..
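The match post #4 describes, between the names in a profile's Default Server List (as shown in posts #1 and #7), the names carried by the server certificate, and what the client's name service can resolve, written out as an added Python check. This is example code, not from the thread or from DSEE; the certificate names and hosts table are constructed stand-ins, and DEFAULT_PORT is an assumption to pass explicitly for a real profile.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins (not data from the thread): the names the server
# certificate carries (subject CN / SAN) and the hosts the client's configured
# name service (files, in the thread) can resolve.
CERT_NAMES = {"pluto", "pluto.test.ldap"}
HOSTS_TABLE = {"pluto": "10.1.1.28", "pluto.test.ldap": "10.1.1.28"}
DEFAULT_PORT = 389  # assumption: port used when an entry carries none


@dataclass
class ServerCheck:
    entry: str                   # entry as written in the Default Server List
    host: str                    # host part: hostname or IP literal
    port: int                    # explicit port from the entry, or DEFAULT_PORT
    problems: list = field(default_factory=list)


def parse_entry(entry: str, default_port: int = DEFAULT_PORT) -> tuple:
    """Split 'host' or 'host:port' into (host, port)."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():            # no port given
        return entry, default_port
    return host, int(port)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_server_list(server_list: str, cert_names=CERT_NAMES, hosts=HOSTS_TABLE) -> list:
    """Apply the rule from post #4 to each whitespace-separated entry: the name
    the client uses must match the certificate and resolve via its name service."""
    names = {n.lower() for n in cert_names}
    results = []
    for entry in server_list.split():
        host, port = parse_entry(entry)
        chk = ServerCheck(entry, host, port)
        if is_ip_literal(host):
            if host not in names:
                chk.problems.append("IP literal not present in certificate names")
        else:
            if host.lower() not in hosts:
                chk.problems.append("hostname not resolvable by the configured name service")
            if host.lower() not in names:
                chk.problems.append("hostname does not match certificate names")
        results.append(chk)
    return results
```

Feed it the server list from your own profile together with the names extracted from the certificate you imported with certutil; an entry with an empty problems list satisfies both conditions.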